healer | f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4

General

Target

f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4.exe
Size

933KB
MD5

36238c0cd743c3e59c2850918485ff06
SHA1

c1f3a83c59ae9f209bb56bde695590f5dbeb10ea
SHA256

f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4
SHA512

822b78b01ee7c1241fcbc9e5b29c75eaf80835bd2210215cbf06c3c7ade9c14379f75317e54a3c37f96d3c958574ba12241f02a6a3515adfa2531c14bf6293ad
SSDEEP

12288:KMrxy90GxG17OeI/FlC+TaJjWduJ5fmmTcXAq1zMVB9vrdLRLYX70Xd+4upiVUeH:LyL4OR/FlMlWsXfjof4NzqIUecpnmUm

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2552-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
2604	v8875543.exe
2068	v0737248.exe
432	v3543856.exe
2536	a1979241.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0737248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3543856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8875543.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2552	2536	a1979241.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2532	2536	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2552	AppLaunch.exe
2552	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2604	4420	f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4.exe	70
PID 4420 wrote to memory of 2604	4420	f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4.exe	70
PID 4420 wrote to memory of 2604	4420	f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4.exe	70
PID 2604 wrote to memory of 2068	2604	v8875543.exe	71
PID 2604 wrote to memory of 2068	2604	v8875543.exe	71
PID 2604 wrote to memory of 2068	2604	v8875543.exe	71
PID 2068 wrote to memory of 432	2068	v0737248.exe	72
PID 2068 wrote to memory of 432	2068	v0737248.exe	72
PID 2068 wrote to memory of 432	2068	v0737248.exe	72
PID 432 wrote to memory of 2536	432	v3543856.exe	73
PID 432 wrote to memory of 2536	432	v3543856.exe	73
PID 432 wrote to memory of 2536	432	v3543856.exe	73
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74
PID 2536 wrote to memory of 2552	2536	a1979241.exe	74

C:\Users\Admin\AppData\Local\Temp\f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4.exe
"C:\Users\Admin\AppData\Local\Temp\f7fc6f165bfbe28b9961e8afe3c250dfd80399753342eb6f411ac83a300ac7d4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8875543.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8875543.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0737248.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0737248.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3543856.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3543856.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1979241.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1979241.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 556
        6⤵
        Program crash
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8875543.exe

Filesize
830KB

MD5
a8b7ea6ffff2ce1a5de7d2fa6b70d90f

SHA1
df0763b883e1bba6a1ca2865ec1ace392c317fe8

SHA256
1201b91e4b2489153460e30ecd56cac1ef0f6b2b39cdde7be3176121da2c555f

SHA512
a73eac0cf133fd7f0f14cee33b75845f9469490217c5103819e4f21621de4650d26ad8edb87e26fc503bcf2d6b3ea09ebda58d5648d9192737b793203e816381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8875543.exe

Filesize
830KB

MD5
a8b7ea6ffff2ce1a5de7d2fa6b70d90f

SHA1
df0763b883e1bba6a1ca2865ec1ace392c317fe8

SHA256
1201b91e4b2489153460e30ecd56cac1ef0f6b2b39cdde7be3176121da2c555f

SHA512
a73eac0cf133fd7f0f14cee33b75845f9469490217c5103819e4f21621de4650d26ad8edb87e26fc503bcf2d6b3ea09ebda58d5648d9192737b793203e816381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0737248.exe

Filesize
602KB

MD5
41a16c369f41ed2622768b73207bb6c8

SHA1
32eb7a4fbe0245b95f0e4743db9a2ea91ae61a47

SHA256
060fa8046a65fc1f62564ec21f96308c22ab1553e1c9e3b51393852868cf4220

SHA512
aa23e2829905f05abc9a896e8aca21bb1482cbf9174b5c28debaed157da6c292e33d81d34f8efc716bebef265eec7dc8c4de642f877e9e6e149e9695f7360bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0737248.exe

Filesize
602KB

MD5
41a16c369f41ed2622768b73207bb6c8

SHA1
32eb7a4fbe0245b95f0e4743db9a2ea91ae61a47

SHA256
060fa8046a65fc1f62564ec21f96308c22ab1553e1c9e3b51393852868cf4220

SHA512
aa23e2829905f05abc9a896e8aca21bb1482cbf9174b5c28debaed157da6c292e33d81d34f8efc716bebef265eec7dc8c4de642f877e9e6e149e9695f7360bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3543856.exe

Filesize
343KB

MD5
f91042548d8cf1704a001445280b3e5e

SHA1
adcf1a486530cce9ca07154174bc432ca3e2bfbc

SHA256
43053eb7a47d895b5fb3b0045f3568b27f29e9389cef75a1b920e67f2f253c33

SHA512
d1b116d5601d3569e730d7367fd665395ffc0cc9e14e54ce5229799de4a6360933e1dd54d3004482e37e02350d9115947bce542c2c9ff1ec1add4fc4902335ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3543856.exe

Filesize
343KB

MD5
f91042548d8cf1704a001445280b3e5e

SHA1
adcf1a486530cce9ca07154174bc432ca3e2bfbc

SHA256
43053eb7a47d895b5fb3b0045f3568b27f29e9389cef75a1b920e67f2f253c33

SHA512
d1b116d5601d3569e730d7367fd665395ffc0cc9e14e54ce5229799de4a6360933e1dd54d3004482e37e02350d9115947bce542c2c9ff1ec1add4fc4902335ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1979241.exe

Filesize
220KB

MD5
d78f2528741ead70aec0c2d65c9490dc

SHA1
48b9e8150882e9b555441b55e818530cdbc16b19

SHA256
620a3e14d29f3caeac72a728bd6ac045f80ec6f7c6197161953ed1be503b682c

SHA512
ea7835314678461f15e284f6787172751aa8a514888f2b58b27ce701665db4a741111ea5064b3daadfc474efce9d1df3ceef2d4d54bccaa9a6828970914690d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1979241.exe

Filesize
220KB

MD5
d78f2528741ead70aec0c2d65c9490dc

SHA1
48b9e8150882e9b555441b55e818530cdbc16b19

SHA256
620a3e14d29f3caeac72a728bd6ac045f80ec6f7c6197161953ed1be503b682c

SHA512
ea7835314678461f15e284f6787172751aa8a514888f2b58b27ce701665db4a741111ea5064b3daadfc474efce9d1df3ceef2d4d54bccaa9a6828970914690d6

Download Submit
memory/2552-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2552-32-0x00000000731F0000-0x00000000738DE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-41-0x00000000731F0000-0x00000000738DE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-56-0x00000000731F0000-0x00000000738DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads